All incidents

Europol-led operation shuts down First VPN service

campaignclosedMay 21, 2026 — May 21, 2026
Europol-led operation shuts down First VPN service

AUTHORITIES in France and the Netherlands, acting under Europol coordination, have taken down the First VPN service that was favoured by ransomware groups and other cybercriminals. The operation led to the arrest of the service’s administrator in Ukraine and the seizure of thirty three servers and three associated domains. The action took place over the nineteenth and twentieth of May 2026 and marks a significant blow to a tool that had facilitated numerous extortion campaigns. Investigators also noted that the shutdown disrupted several underground forums where the VPN was recommended as a trusted anonymity layer. This loss of a reliable proxy is expected to force cybercriminals to seek less stable alternatives, increasing their operational risk.

First VPN was advertised on Russian‑language forums as a tool for anonymity, allowing users to mask their activity while conducting illicit operations such as ransomware deployment and fraud, according to reports from databreaches.net. Investigators uncovered that the infrastructure consisted of thirty three servers hosted across multiple providers, which were simultaneously taken offline during the raid. The service did not rely on any known vulnerability, so no CVE identifiers are associated with the takedown. Instead, its value to criminals lay in the promise of untraceable connectivity for payload distribution and command‑and‑control traffic. Threat actors used the service to hide the origins of ransomware binaries and to communicate with affiliate networks without exposing their real IP addresses.

Access to the VPN’s user database gave law enforcement insight into more than five hundred individuals linked to various cybercrimes, as noted by Infosecurity Magazine. Europol said the information has already assisted twenty one active investigations and will feed into future operations. The data includes usernames, timestamps and source IP addresses that enable investigators to trace back ransomware payloads to specific affiliates. In addition, the seized logs are being shared through trusted information sharing platforms to help other countries identify related infrastructure. No specific threat actor group has been publicly tied to the service, though the user base overlaps with several known ransomware syndicates.

The takedown shows how disrupting a seemingly legitimate service can cut off a key enabler for ransomware actors. Bitdefender contributed technical analysis that helped map the network and identify the administrators. Their researchers provided malware samples and network traffic captures that confirmed the VPN’s role in hiding malicious communications. Such private‑sector assistance is increasingly common in cross‑border operations targeting criminal infrastructure. The case highlights the value of combining police work with industry expertise to dismantle complex cybercrime ecosystems.

Security teams should review logs for any connections to the seized IP addresses and domains and block them at the perimeter. Updating threat intelligence feeds with the indicators shared by Europol will help prevent future abuse of similar services. Organisations are also advised to search for anomalous VPN usage patterns that might

Intelligence briefing updated Jun 10, 2026

Root sourcewww.europol.europa.eu
Timeline Coverage

Swipe to explore timeline